MTU SETTING

Posted on 2006-11-20
956 Views
Last Modified: 2013-11-16
Right now our MTU on the PIX is 1500 on inside and outside.

The Cisco VPN client sets up at 1300 by default.

What will it affect by changing it from 1500 to 1300 to match the VPN client default?

We use SBS Exchange and Remote Web Workplace internally.

I figured it's easier to change it on the PIX itself, rather than re-writing the install client to match the 1500 setting on the PIX. I am about to be rolling out a lot of these VPN clients, so I wanted to make it as smooth as possible. Please let me know what's best and what will be affected by the change being made at the firewall. Thanks in advance.
Question by:jaysonfranklin
5 Comments
Accepted Solution by: lrmoore (LVL 79), earned 800 total points, ID: 17982851
I would highly recommend leaving the PIX interface at the default and letting the VPN client software change the client end. The clients will typically be connecting from almost anywhere. It's the network endpoint closest to the user that can affect the MTU.
I have never seen any valid reason to change the firewall's MTU with the lone exception of DSL/PPPoE connections where the PIX itself is the PPPoE client and the MTU gets adjusted to 1492 to account for the extra 8-byte PPPoE overhead.
Author Comment by: jaysonfranklin (LVL 1), ID: 17982895
So, do you think leaving the VPN clients' setting at 1300 while the PIX outside int is at 1500 isn't a big deal?

Expert Comment by: lrmoore (LVL 79), ID: 17983027
I do not think it is a big deal. I think it is the right thing to do.
Assisted Solution by: Tim Holman (LVL 23), earned 400 total points, ID: 17983391
Leave both MTUs alone.  If there is ever a case where an intermediary MTU is low enough to cause fragmentation, then there's something called PMTU Discovery that will help you out.
PMTU Discovery is a process by which a client negotiates optimum MTU with a server by means of ICMP messages.
Fortunately for us, it's built into all modern TCP/IP stacks (PIX, VPN Client and DSL networks included!), so there's really no need to muck around with MTUs anymore.  It was a bit different 10 years ago with dial-up connections, and paranoid sec admins who disabled ICMP.  But these days, one would hope things are different.  Apart from the last bit.  I still come across the odd setup where an admin has incorrectly disabled all ICMP at his/her perimeter.  It's not called 'Internet Control' MP for nothing!  :)
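Added example, not part of the thread: a simulation of the PMTU Discovery exchange Tim describes. The hop names, link MTUs and the `filters_icmp` flag are constructed for illustration. A hop whose link MTU is too small for a DF-set probe drops it and answers with ICMP type 3 code 4 (fragmentation needed) carrying its next-hop MTU; the sender shrinks its packets to that value and tries again. When a perimeter on the return path drops all ICMP, the sender never sees the message and its full-size packets silently disappear, the "PMTUD black hole" that blanket ICMP filtering causes.

```python
"""Path MTU Discovery (RFC 1191) simulated over a constructed path.

Added example, not from the original thread.  Hop names, MTUs and the
filters_icmp flag are invented to show the mechanism and the failure mode
that appears when a perimeter drops all ICMP.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Hop:
    name: str
    mtu: int                    # MTU of the link this hop forwards onto
    filters_icmp: bool = False  # hypothetical perimeter that drops all ICMP


@dataclass
class Discovery:
    pmtu: Optional[int]                             # MTU learned, None on failure
    icmp: List[str] = field(default_factory=list)   # ICMP type 3 code 4 received
    black_hole: bool = False                        # probes vanished, no feedback


def discover_pmtu(path: List[Hop], start: int = 1500, max_probes: int = 16) -> Discovery:
    """Send DF-set probes of shrinking size until one crosses every hop.

    The first hop whose link MTU is smaller than the probe drops it and
    emits ICMP 'fragmentation needed' with its next-hop MTU.  That ICMP
    originates at the dropping hop and travels back through every earlier
    hop; if the dropping hop or any hop on the way back filters ICMP, the
    sender learns nothing and keeps sending into a black hole.
    """
    result = Discovery(pmtu=None)
    size = start
    for _ in range(max_probes):
        blocked_at = next((i for i, h in enumerate(path) if size > h.mtu), None)
        if blocked_at is None:
            result.pmtu = size          # probe traversed the whole path
            return result
        hop = path[blocked_at]
        if any(h.filters_icmp for h in path[:blocked_at + 1]):
            result.black_hole = True    # ICMP never reaches the sender
            return result
        result.icmp.append(f"{hop.name}: ICMP frag-needed, next-hop MTU {hop.mtu}")
        size = hop.mtu                  # adopt the advertised MTU and re-probe
    return result


# Constructed paths: a DSL/PPPoE hop in front of the PIX, and a branch
# firewall that filters all ICMP in front of a narrower tunnel link.
HEALTHY_PATH = [Hop("client-dsl", 1492), Hop("isp-core", 1500), Hop("pix-outside", 1500)]
BROKEN_PATH = [Hop("branch-fw", 1500, filters_icmp=True),
               Hop("tunnel-link", 1400), Hop("pix-outside", 1500)]


if __name__ == "__main__":
    for label, path in (("healthy", HEALTHY_PATH), ("icmp-filtered", BROKEN_PATH)):
        d = discover_pmtu(path)
        print(f"{label}: pmtu={d.pmtu} black_hole={d.black_hole} icmp={d.icmp}")
```

The healthy path converges on 1492 after one ICMP round trip; the filtered path never converges, which is exactly the symptom (small packets work, large transfers hang) that makes people reach for manual MTU tweaks.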
Assisted Solution by: rsivanandan (LVL 32), earned 400 total points, ID: 17984886
I agree with the others: leave it alone unless there are other reasons. Now, if you are thinking about changing it because your VPN Client has 1300 and the PIX 1500:

You have to imagine the connection. Say a normal packet will be 1500-odd, but when you have an IPsec VPN into it, you're adding more fields and the packet gets a little bigger, so in order to avoid fragmentation it is better to have it at 1300 (which even I find very optimal while I'm in India and the PIX is in the US, especially with VoIP clients).

As well, the connection type of the VPN client needs to take this into consideration. I'm sure it will be lower than the PIX site?

Cheers,
Rajesh
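Added example, not part of the thread: the overhead arithmetic behind Rajesh's "the packet gets a little bigger" and lrmoore's 1492 PPPoE figure. The transform assumed here (ESP tunnel mode, AES-CBC with a 16-byte IV, HMAC-SHA1-96, NAT-T on UDP/4500) is an assumption; the thread never states the PIX's transform set, and Cisco's 1300 default is Cisco's own choice rather than a number derived from this calculation. It shows that a client generating 1500-byte packets produces tunnelled packets that cannot fit a 1500-byte outside link, while 1300-byte packets fit comfortably even behind an 8-byte PPPoE header.

```python
"""IPsec ESP tunnel-mode overhead: why a 1300-byte client MTU fits where a
1500-byte one does not.

Added example, not from the original thread.  The transform set below is an
assumption (ESP tunnel mode, AES-CBC 16-byte IV, HMAC-SHA1-96, NAT-T); the
thread does not say what the PIX actually negotiates.
"""
IPV4_HDR = 20        # outer IPv4 header, no options
UDP_HDR = 8          # NAT-T encapsulation on UDP/4500
ESP_HDR = 8          # SPI (4) + sequence number (4)
AES_IV = 16          # CBC IV, one AES block
ESP_TRAILER = 2      # pad length + next header
ICV = 12             # HMAC-SHA1-96 integrity check value
PPPOE_OVERHEAD = 8   # PPPoE header (6) + PPP protocol field (2), per lrmoore
BLOCK = 16           # ESP pads plaintext + trailer to a multiple of the AES block


def esp_tunnel_size(inner_len: int, nat_t: bool = True) -> int:
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes."""
    padded = ((inner_len + ESP_TRAILER + BLOCK - 1) // BLOCK) * BLOCK
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + AES_IV + ICV
    return fixed + padded


def max_inner_packet(outer_mtu: int, nat_t: bool = True) -> int:
    """Largest inner packet whose encapsulation still fits in outer_mtu.

    esp_tunnel_size is monotonic in inner_len, so a descending scan returns
    the first (largest) size that fits.
    """
    for n in range(outer_mtu, 0, -1):
        if esp_tunnel_size(n, nat_t) <= outer_mtu:
            return n
    return 0


def client_mtu_fits(client_mtu: int, outer_mtu: int, nat_t: bool = True) -> bool:
    """True if a full-size client packet survives encapsulation unfragmented."""
    return esp_tunnel_size(client_mtu, nat_t) <= outer_mtu


if __name__ == "__main__":
    for outer in (1500, 1500 - PPPOE_OVERHEAD):
        print(f"outer MTU {outer}: largest inner packet {max_inner_packet(outer)}")
    for client in (1500, 1300):
        print(f"client MTU {client}: {esp_tunnel_size(client)} bytes on the wire, "
              f"fits a 1500-byte outside link: {client_mtu_fits(client, 1500)}")
```

The numbers also show why adjusting the PIX interface MTU would not help: the outer packet is built by the PIX's own IPsec stack against the outside interface MTU, so the only thing a smaller inside/outside MTU changes is the cleartext traffic on the LAN. The client-side MTU is what keeps the tunnelled packet under the path MTU.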